Description
A vulnerability was found in code-projects Simple IT Discussion Forum 1.0. The affected element is an unknown function of the file /functions/addcomment.php. The manipulation of the argument postid results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: SQL Injection (Data Breach)
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an SQL injection flaw located in the addcomment.php file of the Simple IT Discussion Forum, where manipulation of the postid argument allows attackers to inject arbitrary SQL. This flaw can be exploited remotely to gain unauthorized access to the underlying database, potentially exposing or modifying sensitive information. The attacker can execute any SQL statement that the forum application’s database user is permitted to run. The issue has been publicly disclosed and exploits are available in the wild.

Affected Systems

This flaw affects the Simple IT Discussion Forum version 1.0 published by the code-projects organization. No other product versions or vendors are listed as impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability, and the absence of an EPSS score or KEV listing suggests moderate exploitation pressure. However, the public availability of an exploit and the ability to reach the vulnerable endpoint directly from the Internet make this a realistic threat. An attacker would target the /functions/addcomment.php endpoint with a crafted postid value to manipulate the SQL query executed by the application.

Generated by OpenCVE AI on April 9, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website for an official patch or newer release of Simple IT Discussion Forum.
  • If a patch is available, apply it immediately and verify the fix by testing the addcomment.php endpoint with valid and invalid postid values.
  • In the absence of an official fix, modify the application to use parameterized queries or escape all user-supplied data before embedding it in SQL statements.
  • Restrict access to the addcomment.php endpoint by implementing IP whitelisting or rate limiting on the web server.
  • Enable a web application firewall to detect and block SQL injection attempts, and monitor logs for suspicious activity.
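
The third and second actions above (parameterize the query, then verify the endpoint with valid and invalid postid values) are shown below in an added PHP example; this is not code from Simple IT Discussion Forum, whose real schema and functions are not on this page. It assumes a mysqli connection in `$db` and a hypothetical `comments` table with columns `post_id`, `author` and `body`. The unsafe function reproduces the CWE-89 pattern the advisory describes (request data spliced into SQL text); the hardened function validates `postid` as a positive integer and binds every value as a parameter.

```php
<?php
// Added example, not the forum's own code. Assumes a mysqli connection in $db
// and a hypothetical `comments` table (post_id, author, body).

// Unsafe pattern (CWE-89): the request value becomes part of the SQL text, so
// the database cannot distinguish user data from query structure.
function add_comment_unsafe(mysqli $db, array $request): bool
{
    $postid = $request['postid'];
    $sql = "INSERT INTO comments (post_id, author, body) VALUES ('$postid', '"
         . $request['author'] . "', '" . $request['body'] . "')";
    return $db->query($sql) !== false;
}

// Hardened version: validate the shape of postid, then use a prepared
// statement so no request value is ever parsed as SQL.
function add_comment_safe(mysqli $db, array $request): bool
{
    // Post ids are integers; reject anything else before touching the database.
    $postid = filter_var(
        $request['postid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($postid === false) {
        return false;
    }
    $author = (string) ($request['author'] ?? '');
    $body   = (string) ($request['body'] ?? '');

    $stmt = $db->prepare(
        'INSERT INTO comments (post_id, author, body) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    // 'iss': post_id bound as an integer, author and body as strings.
    $stmt->bind_param('iss', $postid, $author, $body);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Verification after patching: a well-formed id is accepted, a non-numeric or
// negative postid is rejected before any query runs.
// add_comment_safe($db, ['postid' => '12', 'author' => 'a', 'body' => 'b']);   // inserts
// add_comment_safe($db, ['postid' => 'abc', 'author' => 'a', 'body' => 'b']);  // returns false
```

The integer validation is a defence-in-depth check, not the fix itself: the prepared statement is what removes the injection, and it should be applied to every other query in the application that takes request data, not only to addcomment.php.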

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Code-projects; Code-projects simple It Discussion Forum
Vendors & Products | | Code-projects; Code-projects simple It Discussion Forum

Thu, 09 Apr 2026 01:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in code-projects Simple IT Discussion Forum 1.0. The affected element is an unknown function of the file /functions/addcomment.php. The manipulation of the argument postid results in sql injection. The attack may be launched remotely. The exploit has been made public and could be used.
Title | | code-projects Simple IT Discussion Forum addcomment.php sql injection
Weaknesses | | CWE-74; CWE-89
References | |
Metrics (cvssV2_0) | | {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics (cvssV3_0) | | {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics (cvssV3_1) | | {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics (cvssV4_0) | | {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Code-projects Simple It Discussion Forum
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-09T01:00:18.710Z

Reserved: 2026-04-08T16:55:10.108Z

Link: CVE-2026-5828

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-09T02:16:17.533

Modified: 2026-04-09T02:16:17.533

Link: CVE-2026-5828

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:21Z

Weaknesses